[Oisf-devel] Announcing an IDS/IPS rules parser

Martin Holste mcholste at gmail.com
Wed Mar 30 22:03:10 UTC 2011


Cool, I may have to check that out.  I did a similar thing in a
quick-and-dirty way using the Parse::Snort Perl module in an effort to
auto-create rules to make an IDS based on httpry.  The goal was to
find all Snort rules which are only alerting on URI param keys and
values and then split all URLs coming in via httpry and Perl.  Since
split is cheap, this can be done at very low load on a high-traffic
network.  Unfortunately, I found that it was more trouble than I have
time for right now to smooth out all of the mis-parsed rules, so
hopefully your code doesn't have the same issues on some of the more
esoteric rule options like "filedata" that Parse::Snort chokes on.

However, it was a really interesting way to look at rules:  It created
an array of hashes in which a given content match string was mapped to
an array of SIDs and a SID was mapped to its content matches.  When
you view the rules like that, the almost-duplicate rules pop out and
you can see all of the inefficiency that's been creeping in as time
goes on.

On Wed, Mar 30, 2011 at 4:02 PM, Xavier Lange <xrlange at gmail.com> wrote:
> We recently scratched an itch allowing us to take *.rules formatted
> files and turn them into an array of hashes -- a simple translation
> which makes all the difference when using rule data outside of the
> IDS/IPS! The grammar has been tested successfully against the ET
> ruleset.
>
> The software is written for Ruby and uses a parsing expression
> grammar. It provides easy access to the rule data through a) native
> ruby structures, b) a file converter for *.rules -> *.json. This could
> be a good tool for putting rules into your alert database.
>
> Project page with documentation/code:
> https://github.com/derdewey/ids_rules_parser
>
> Please feel free to contact me through github if you have further
> questions. Patches are welcome!
>
> Xavier
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
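The two-way index Martin describes (content match string -> SIDs, SID -> its content matches) as an added Ruby example; this is not Parse::Snort or the ids_rules_parser code, it only extracts the content and sid options with a regex, and the rules it runs over are constructed samples, not a real ruleset.

```ruby
# Added example (not Parse::Snort or ids_rules_parser): index Snort-style
# rules by content match so near-duplicate signatures stand out.

# Constructed sample rules; the SIDs and messages are made up for this demo.
SAMPLE_RULES = <<~RULES
  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE A"; content:"/login.php"; content:"user="; sid:9000001; rev:1;)
  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE B"; content:"/login.php"; content:"pass="; sid:9000002; rev:2;)
  alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE C"; content:"/login.php"; content:"user="; nocase; sid:9000003; rev:1;)
  # a commented-out rule is skipped by the parser
  alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE D"; content:"|16 03 01|"; sid:9000004; rev:1;)
RULES

# Parse one rule line into {sid: Integer, contents: [String]}; returns nil for
# comments, blank lines and rules without a sid. Only content/uricontent and
# sid are extracted; other options (pcre, flowbits, filedata, ...) are ignored,
# which is exactly the kind of corner a full grammar has to handle.
def parse_rule(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  sid = line[/\bsid\s*:\s*(\d+)\s*;/, 1] or return nil
  # content:"..." values; a quote escaped as \" inside the value is allowed.
  contents = line.scan(/\b(?:uri)?content\s*:\s*"((?:[^"\\]|\\.)*)"/).flatten
  { sid: sid.to_i, contents: contents }
end

# Build both maps: content string -> list of SIDs, and SID -> content strings.
def index_rules(text)
  by_content = Hash.new { |h, k| h[k] = [] }
  by_sid = {}
  text.each_line do |line|
    rule = parse_rule(line) or next
    by_sid[rule[:sid]] = rule[:contents]
    rule[:contents].uniq.each { |c| by_content[c] << rule[:sid] }
  end
  [by_content, by_sid]
end

# Near-duplicate candidates: groups of SIDs whose content sets are identical
# (they differ only in other options, e.g. nocase), sorted for stable output.
def duplicate_candidates(by_sid)
  by_sid.group_by { |_, contents| contents.sort }
        .values.select { |group| group.size > 1 }
        .map { |group| group.map(&:first).sort }
end

if __FILE__ == $PROGRAM_NAME
  by_content, by_sid = index_rules(SAMPLE_RULES)
  by_content.each { |c, sids| puts "#{c.inspect} => #{sids.inspect}" }
  puts "identical content sets: #{duplicate_candidates(by_sid).inspect}"
end
```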
